Europäisches Patentamt
European Patent Office
Office européen des brevets




Publication number: 0 532 231 A2

EUROPEAN PATENT APPLICATION

Application number: 92308004.8
Date of filing: 03.09.92
Int. Cl. 6: H04L9/32

Priority: 13.09.91 US 759311

Date of publication of application:
17.03.93 Bulletin 93/11

Designated Contracting States:
DE FR GB SE

Applicant: AMERICAN TELEPHONE AND
TELEGRAPH COMPANY
32 Avenue of the Americas
New York, NY 10013-2412 (US)

Inventor: Reeds III, James Alexander
127 Southgate Road
New Providence, New Jersey 07974 (US)

Inventor: Treventi, Philip Andrew
15 Candlewood Drive
Murray Hill, New Jersey 07974 (US)

Representative: Buckley, Christopher Simon
Thirsk et al
AT & T (UK) Ltd. 5 Mornington Road
Woodford Green Essex IG8 0TU (GB)






Service provision authentication protocol.

A protocol for authenticating a cellular telephone
to a service provider for the purpose of
preventing the piracy of cellular services. A
service provider assigns a unique "secret",
along with other information such as a telephone
number, to each cellular telephone when
the telephone service is established with the
service provider. Each base station of a service
provider continuously broadcasts a periodically
changing random number to all of the cellular
telephones within the base station's jurisdiction.
When a cellular telephone first enters the
jurisdiction of a base station, it registers itself
with the base station by concatenating a secret
password and the most recently broadcast random
number, along with other information, and
passing the concatenated information to a hash
function. The cellular telephone then sends the
output of the hash function, along with other
identifying information, to the service provider.
The service provider, upon learning of the cellular
telephone's identity, feeds the secret assigned
to that cellular telephone and the random
number, along with other information, into the
same hash function. When the result of the
hashing performed by the service provider
matches that provided by the cellular telephone,
authentication for that cellular telephone
is complete. Thereupon, the provider
sends the cell a shared secret data field which is
known to the mobile unit, and subsequent
authentication processes are carried out between
the mobile unit and the cell itself.

Background of the Invention

This invention relates to authentication protocols 
and more particularly to protocols for insuring validity 
of communicating radio-telephones and the like.

In conventional telephony each telephone set
(fax unit, modem, etc.) is physically connected to a
unique port on a switch at a local central office. The
connection is through a dedicated wire, or through a
designated channel on a dedicated wire. The wire
connection is installed by the service provider (who,
typically, is the common carrier) and, therefore, the
service provider can be reasonably sure that transmission
on the channel arrives from the subscriber.
By comparison, authentication of a subscriber in wireless
telephony is less certain.

Under the current cellular telephony arrangement
in the United States, when a cellular telephone
subscriber places a call, his or her cellular telephone
indicates to the service provider the identity of the
caller for billing purposes. This information is not encrypted.
If an interloper eavesdrops at the right time,
he or she can obtain the subscriber's identification information.
This includes the subscriber's phone number
and the electronic serial number (ESN) of the subscriber's
equipment. Thereafter, the interloper can
program his or her cellular telephone to impersonate
that bona fide subscriber to fraudulently obtain services.
Alternately, an interloper can inject himself into
an established connection, overpower the customer's
cellular telephone equipment by transmitting more
power, and redirect the call to his or her purposes by
sending certain control codes to the service provider.
Basically, such piracy will succeed because the service
provider has no mechanism for independently
authenticating the identity of the caller at the time the
connection is established and/or while the connection
is active.

Technology is available to permit an eavesdropper
to automatically scan all of the cellular frequencies
in a given cell for such identification information.
Consequently, piracy of cellular telephone services is
rampant. Also, the lack of enciphering of the speech
signals lays bare to eavesdroppers the content of
conversations. In short, there is a clear and present
need for effective security measures in the cellular
telephony art, and that suggests the use of cryptology
for the purposes of ensuring authentication and
privacy.

Several standard cryptographic methods exist for
solving the general sort of authentication problem
that exists in cellular telephony, but each turns out to
have practical problems. First, a classical challenge/response
protocol may be used, based on a private
key cryptographic algorithm. In this approach, a
subscriber's mobile station is issued with a secret key
which is also known by the home system. When a serving
system wishes to authenticate a subscriber, it applies
to the home system for a challenge and a response
to use with the given subscriber. The home
system composes a random challenge and applies a
one-way function to the challenge concatenated with
the subscriber's key to obtain the corresponding response.
The challenge and response are supplied to
the serving system, which issues the challenge to the
mobile station. The mobile station in turn replies with
the response, which it calculates from the challenge
and from its stored secret key. The serving system
compares the responses supplied by the home system
and by the mobile station, and if they match, the
mobile station is deemed authentic.

The problem with this approach is that often the 
serving system is unable to contact the home system 
quickly enough to allow authentication of a call setup, 
or that the database software on the home system is 
unable to look up the subscriber's secret key and 
compose the challenge/response pair quickly 
enough. Network or software delays of a second or 
two would add that much dead time till the subscriber 
hears a dial tone after picking up the handset when 
placing a call, and longer delays (given the control 
networks and switching apparatus currently used by 
cellular providers) would be common. In the present 
milieu, such delays are unacceptable. 

Public key cryptography provides another stan- 
dard class of ways for solving authentication prob- 
lems. Generally speaking, each mobile station would 
be provided with a "public key certificate" of identity, 
signed by the public key of the service provider, stat- 
ing that the mobile station is a legitimate customer of 
the service provider. In addition, each mobile would 
also be given secret data (private keys) which it can 
use, together with the certificate, to prove to third 
parties (such as the serving system) that it is a legit- 
imate customer. 

For example, a service provider could have a pair
of RSA keys, (F,G), with F private and G public. The
service provider could supply each mobile with its
own pair (D,E) of RSA keys, together with F(E) (the
encryption of the mobile's public key E using the pro- 
vider's private key F). Then a mobile asserts its iden- 
tity by sending (E,F(E)) to the serving system. The 
serving system applies G to F(E) to obtain E. The 
serving system generates a challenge X, encrypts it 
with the mobile's public key E to obtain E(X) which it 
sends to the mobile. The mobile applies its private key 
D to E(X) to obtain X, which it sends back to the server 
in the clear as a response. 

Although some variations on this theme involve 
less computation or data transmission than others, no 
public key authentication scheme yet exists which is
efficiently executable in less than a second's time on 
the sort of hardware currently used in cellular tele- 
phones. Even though network connectivity between 
the serving and home systems is not needed at the 
moment of authentication, as it is in the classical approach,
the same time constraints which rule out the
classical approach also rule out the public key ap- 
proach. 

Another technique is proposed by R.M. Needham
and M.D. Schroeder in Using Encryption for Authentication
in Large Computer Networks, Comm. of the
ACM, Vol. 21, No. 12, 993-999 (Dec. 1978). In brief,
the Needham-Schroeder technique requires that a
third, trusted, party (AS) should serve as an authentication
server which distributes session keys to the
prospective parties (A and B) who are attempting to
establish secure communications. The protocol is as
follows: when party A wishes to communicate with
party B, it sends to authentication server AS his own
name, the name of party B and a transaction identifier.
Server AS returns the name of party B, a session
key, the transaction identifier and a message encrypted
with B's key. All that information is encrypted
with A's key. Party A receives the information, decrypts
it, selects the portion that is encrypted with B's
key and forwards that portion to party B. Party B decrypts
the received messages and finds in it the name of
party A and the session key. A last check (to prevent
"replays") is made by party B issuing a challenge to
party A and party A replies, using the session key. A
match found at party B authenticates the identity of
party A.



Summary of the Invention

The security needs of cellular telephony are met
with an arrangement that depends on a shared secret
data field. The mobile unit maintains a secret that is
assigned to it by the service provider, and generates
a shared secret data field from that secret. The service
provider also generates the shared secret data
field. When a mobile unit enters the cell of a base station,
it identifies itself to the base station, and supplies
to the base station a hashed authentication
string. The base station consults with the provider,
and if it is determined that the mobile unit is a bona
fide unit, the provider supplies the base station with
the shared secret data field. Thereafter the mobile
unit communicates with the base station with the assistance
of authentication processes that are carried
out between the mobile unit and the base station, using
the shared secret data field.

One feature of this arrangement is that the various
base stations do not have access to the secret
that was installed in the mobile unit by the provider.
Only the base stations which successfully interacted
with the mobile unit have the shared secret data field;
and that number can be limited by the provider simply
by directing the mobile unit to create a new shared secret
data field.

Another feature of this arrangement is that the 
more elaborate authentication process that utilizes 
the secret, which is more time consuming and which
takes place only through involvement of the provider,
occurs infrequently; when a mobile unit first enters 
the cell (or when it is suspected that the shared secret 
data field has been compromised). 

Call originations, call terminations, and other 
functions are authenticated using essentially the 
same authentication protocol and the same hashing 
function. The few differences manifest themselves in
the information that is hashed. 

Brief Description of the Drawing 

FIG. 1 illustrates an arrangement of network providers
and cellular radio providers interconnected
for service to both stationary and mobile telephones
and the like;

FIG. 2 depicts the process for directing the creation
of a shared secret data field and the verification
of same;

FIG. 3 depicts the registration process in a visited
base station, for example, when the mobile unit
first enters the cell serviced by the base station;

FIG. 4 shows the elements that are concatenated
and hashed to create the shared secret data;

FIG. 5 shows the elements that are concatenated
and hashed to create the verification sequence;

FIG. 6 shows the elements that are concatenated
and hashed to create the registration sequence
when the mobile unit goes on the air;

FIG. 7 shows the elements that are concatenated
and hashed to create the call initiation sequence;

FIG. 8 depicts the speech encryption and decryption
process in a mobile unit;

FIG. 9 shows the elements that are concatenated
and hashed to create the re-authentication sequence;

FIG. 10 illustrates the three stage process for encrypting
and decrypting selected control and
data messages; and

FIG. 11 presents a block diagram of a mobile
unit's hardware.

Detailed Description 

In a mobile cellular telephone arrangement there 
are many mobile telephones, a much smaller number 
of cellular radio providers (with each provider having 
one or more base stations) and one or more switching 
network providers (common carriers). The cellular ra- 
dio providers and the common carriers combine to al- 
low a cellular telephone subscriber to communicate 
with both cellular and non-cellular telephone subscribers.
This arrangement is depicted diagrammatically
in FIG. 1, where common carrier I and common
carrier II combine to form a switching network comprising
switches 10-14. Stationary units 20 and 21 are
connected to switch 10, mobile units 22 and 23 are
free to roam, and base stations 30-40 are connected
to switches 10-14. Base stations 30-34 belong to provider 1,
base stations 35 and 36 belong to provider 2,
base station 37 belongs to provider 4, and base stations
38-40 belong to provider 3. For purposes of this
disclosure, a base station is synonymous with a cell
wherein one or more transmitters are found. A collec- 
tion of cells makes up a cellular geographic service 
area (CGSA) such as, for example, base stations 30, 
31, and 32 in FIG. 1. 

Each mobile unit has an electronic serial number
(ESN) that is unique to that unit. The ESN number is
installed in the unit by the manufacturer, at the time 
the unit is built (for example, in a read-only-memory), 
and it is unalterable. It is accessible, however. 

When a customer desires to establish a service
account for a mobile unit that the customer owns or
leases, the service provider assigns to the customer
a phone number (MIN1 designation), an area code
designation (MIN2 designation) and a "secret" (A-key).
The MIN1 and MIN2 designations are associated
with a given CGSA of the provider and all base stations
in the FIG. 1 arrangement can identify the
CGSA to which a particular MIN2 and MIN1 pair belongs.
The A-key is known only to the customer's
equipment and to the provider's CGSA processor (not
explicitly shown in FIG. 1). The CGSA processor
maintains the unit's ESN, A-key, MIN1 and MIN2 designations
and whatever other information the service
provider may wish to have.

With the MIN1 and the MIN2 designations and
the A-key installed, the customer's unit is initialized
for service when the CGSA processor sends to the
mobile unit a special random sequence (RANDSSD),
and a directive to create a "shared secret data" (SSD)
field. The CGSA sends the RANDSSD, and the SSD
field generation directive, through the base station of
the cell where the mobile unit is present. Creation of
the SSD field follows the protocol described in FIG. 2.

As an aside, in the FIG. 1 arrangement each base
station broadcasts information to all units within its
cell on some preassigned frequency channel (broadcast
band). In addition, it maintains two way communications
with each mobile unit over a mutually
agreed, (temporarily) dedicated, channel. The manner
by which the base station and the mobile unit
agree on the communications channel is unimportant
to this invention, and hence it is not described in detail
herein. One approach may be, for example, for the
mobile unit to scan all channels and select an empty
one. It would then send to the base station its MIN2
and MIN1 designations (either in plaintext form or enciphered
with a public key), permitting the base station
to initiate an authentication process. Once authenticated
communication is established, if necessary,
the base station can direct the mobile station to
switch to another channel.

As described in greater detail hereinafter, in the
course of establishing and maintaining a call on a mobile
telephony system of this invention, an authentication
process may be carried out a number of times
throughout the conversation. Therefore, the authentication
process employed should be relatively secure
and simple to implement. To simplify the design
and lower the implementation cost, both the mobile
unit and the base station should use the same process.

Many authentication processes use a hashing 
function, or a one-way function, to implement the 
processes. A hashing function performs a many-to- 
one mapping which converts a "secret" to a signature. 
The following describes one hashing function that is 
simple, fast, effective, and flexible. It is quite suitable
for the authentication processes of this invention but, 
of course, other hashing functions can be used. 

The Jumble Process 

The Jumble process can create a "signature" of
a block of d "secret" data words b(i), with the aid of a
k-word key x(j), where d, i, j, and k are integers. The
"signature" creation process is carried out on one
data word at a time. For purposes of this description,
the words on which the Jumble process operates are
8 bits long (providing a range from 0 to 255, inclusive),
but any other word size can be employed. The "secret"
data block length is incorporated in the saw
tooth function

$$s_d(t) = t \quad \text{for } 0 \le t \le d - 1,$$
$$s_d(t) = 2d - 2 - t \quad \text{for } d \le t \le 2d - 3, \text{ and}$$
$$s_d(t) = s_d(t + 2d - 2) \quad \text{for all } t.$$

This function is used in the following process where,
starting with z = 0 and i = 0, for successively increasing
integer values of i in the range $0 \le i \le 6d - 5$,

a) $b(s_d(i))$ is updated by:

$$b(s_d(i)) = b(s_d(i)) + x(i_k) + \mathrm{SBOX}(z) \bmod 256$$

where

• $i_k$ is i modulo k, $\mathrm{SBOX}(z) = y + [y/2048] \bmod 256$,

• $y = (z \oplus 16)(z + 111)(z)$,

• [y/2048] is the integer portion of y divided
by 2048, and $\oplus$ represents the bit-wise Exclusive-OR
function; and

b) z is updated with: $z = z + b(s_d(i)) \bmod 256$.

It may be appreciated that in the process just de- 
scribed there is no real distinction between the data 
and the key. Therefore, any string that is used for au- 
thentication can have a portion thereof used as a key 
for the above process. Conversely, the data words 
concatenated with the key can be considered to be
the "authentication string". It may also be noted that
each word b(i), where $0 \le i < d$, is hashed individually,
one at a time, which makes the hashing "in place". No
additional buffers are needed for the hashing process
per se.

The process just described can be easily carried
out with a very basic conventional processor, since
the only operations required are: shifting (to perform
the division by 2048), truncation (to perform the [ ]
function and the mod 256 function), addition, multiplication,
and bit-wise Exclusive-OR functions.
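
The Jumble process defined above, written out in Python as an added example (not code from the patent). The text does not fix which part of an authentication string serves as the key; `hash_auth_string` assumes the trailing `key_len` words, and the sample identifiers are constructed.

```python
def sawtooth(d: int, t: int) -> int:
    """s_d(t): 0..d-1 going up, then d-2..1 coming down, period 2d-2."""
    if d < 2:
        raise ValueError("the saw tooth function needs d >= 2")
    t %= 2 * d - 2
    return t if t <= d - 1 else 2 * d - 2 - t


def sbox(z: int) -> int:
    """SBOX(z) = y + [y/2048] mod 256 with y = (z XOR 16)(z + 111)(z)."""
    y = (z ^ 16) * (z + 111) * z
    return (y + (y >> 11)) & 0xFF          # >> 11 is the division by 2048


def visit_order(d: int) -> list:
    """Indices s_d(i) of the words touched for i = 0 .. 6d-5."""
    return [sawtooth(d, i) for i in range(6 * d - 4)]


def jumble(block: bytearray, key: bytes) -> bytearray:
    """Hash the d-word block in place with the k-word key (8-bit words)."""
    if not key:
        raise ValueError("key must hold at least one word")
    z = 0
    for i, j in enumerate(visit_order(len(block))):
        block[j] = (block[j] + key[i % len(key)] + sbox(z)) & 0xFF  # step a)
        z = (z + block[j]) & 0xFF                                   # step b)
    return block


def hash_auth_string(auth: bytes, key_len: int) -> bytes:
    """Split an authentication string into data and key, then Jumble it.

    Assumption: the trailing key_len words act as the key x and the
    leading words as the data block b.
    """
    if key_len < 1 or len(auth) - key_len < 2:
        raise ValueError("need at least two data words and one key word")
    data, key = bytearray(auth[:-key_len]), auth[-key_len:]
    return bytes(jumble(data, key))


if __name__ == "__main__":
    # Constructed sample values, not real subscriber data.
    esn = bytes.fromhex("82000001")
    a_key = bytes.fromhex("0123456789abcdef")
    randssd = bytes.fromhex("a1b2c3d4e5f607")
    print(visit_order(4))      # three sweeps back and forth over the block
    print(hash_auth_string(esn + a_key + randssd, key_len=len(randssd)).hex())
```

The visiting order shows why no extra buffer is needed: every pass rewrites words of the same block, and the only carried state is the 8-bit value z.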

Returning to the SSD field initialization process
of FIG. 2, when a RANDSSD sequence and the directive
to create a new SSD field (arrow 100 in FIG. 2)
are received by the mobile station, a new SSD field
is generated in accordance with FIG. 4. The mobile
unit concatenates the ESN designation, the A-key,
and the RANDSSD sequence to form an authentication
string. The authentication string is applied to
Jumble block 101 (described above) which outputs
the SSD field. The SSD field comprises two subfields:
the SSD-A subfield which is used to support
authentication procedures, and the SSD-B subfield
which is used to support voice privacy procedures
and encryption of some signaling messages (described
below). It may be noted that a larger number of
SSD subfields can be created; either by subdividing
the SSD field formed as described above or by first
enlarging the SSD field. To increase the number of
bits in the SSD field one needs only to start with a
larger number of data bits. As will be appreciated from
the disclosure below, that is not a challenging requirement.

The home CGSA processor knows the ESN and
the A-key of the mobile unit to which the received
MIN2 and MIN1 designations were assigned. It also
knows the RANDSSD sequence that it sent. Therefore,
the home CGSA processor is in position to duplicate
the SSD field creation process of the mobile
unit. By concatenating the RANDSSD signal with the
ESN designation and the A-key, and with the above-described
Jumble process, the CGSA processor creates
a new SSD field and partitions it into SSD-A and
SSD-B subfields. However, the SSD field created in
the home CGSA processor must be verified.

In accordance with FIG. 2, verification of the created
SSD field is initiated by the mobile unit. The mobile
unit generates a challenge random sequence
(RANDBS sequence) in block 102 and sends it to the
home CGSA processor through the serving base station
(the base station that serves the area in which
the mobile unit is located). In accordance with FIG. 5,
the home CGSA processor concatenates the challenge
RANDBS sequence, the ESN of the mobile
unit, the MIN1 designation of the mobile unit, and the
newly created SSD-A to form an authentication string
which is applied to the Jumble process. In this instance,
the Jumble process creates a hashed authentication
signal AUTHBS which is sent to the mobile
station. The mobile station also combines the
RANDBS sequence, its ESN designation, its MIN1
designation and the newly created SSD-A to form an
authentication string that is applied to the Jumble
process. The mobile station compares the result of its
Jumble process to the hashed authentication signal
(AUTHBS) received from the home CGSA processor.
If the comparison step (block 104) indicates a match,
the mobile station sends a confirmation message to
the home CGSA processor indicating the success of
the update in the SSD field. Otherwise, the mobile
station reports on the failure of the match comparison.

Having initialized the mobile station, the SSD 
field remains in force until the home CGSA processor 
directs the creation of a new SSD field. That can oc- 
cur, for example, if there is reason to believe that the 
SSD field has been compromised. At such a time, the 
home CGSA processor sends another RANDSSD se- 
quence to the mobile unit, and a directive to create a 
new SSD field. 

As mentioned above, in cellular telephony each 
base station broadcasts various informational signals 
for the benefit of all of the mobile units in its cell. In 
accordance with the FIG. 1 arrangement, one of the signals
broadcast by the base station is a random or
pseudorandom sequence (RAND sequence). The
RAND sequence is used by various authentication
processes to randomize the signals that are created
and sent by the mobile units. Of course, the RAND sequence
must be changed periodically to prevent
record/playback attacks. One approach for selecting
the latency period of a RAND signal is to make it 
smaller than the expected duration of an average call. 
Consequently, a mobile unit, in general, is caused to 
use different RAND signals on successive calls. 

In accordance with one aspect of this invention, 
as soon as the mobile unit detects that it enters a cell 
it registers itself with the base unit so that it can be 
authenticated. Only when a mobile unit is authenticated
can it initiate calls, or have the base station direct
calls to it.

When the mobile unit begins the registration
process it accepts the RAND sequence broadcast by
the base station and, in turn, it sends to the serving
base station its MIN1 and MIN2 designations and its
ESN sequence (in plaintext) as well as a hashed authentication
string. According to FIG. 6, the hashed
authentication string is derived by concatenating the
RAND sequence, the ESN sequence, the MIN1 designation
and the SSD-A subfield to form an authentication
string; and applying the authentication string
to the Jumble process. The hashed authentication
string at the output of the Jumble process is sent to
the serving base station together with the ESN sequence.

In some embodiments, all or part of the RAND sequence
used by the mobile unit is also sent to the
serving base station (together with the ESN sequence
and the MIN1 and MIN2 designations), because
the possibility exists that the RAND value has
changed by the time the hashed authentication string
reaches the base station.

On the base station side, the serving base station
knows the RAND sequence (because the base
station created it) and it also knows the ESN and the
MIN2 and MIN1 designations with which the mobile
unit identified itself. But the serving base station
does not know the SSD field of the mobile unit. What
it does know is the identity of the mobile unit's home
CGSA processor (from the MIN1 and MIN2 designations).
Consequently, it proceeds with the authentication
process by sending to the mobile unit's home
CGSA processor the MIN1 designation, the ESN sequence,
the hashed authentication string that the
mobile unit created and transmitted, and the RAND
sequence that the serving base station broadcast
(and which the mobile unit incorporated in the created
hashed authentication string). From the mobile unit's
MIN1 designation and ESN sequence the home
CGSA processor knows the mobile unit's identity and,
hence, the mobile unit's SSD-A subfield. Therefore it
can proceed to create an authentication string just as
the mobile unit did, and apply it to the Jumble process
(FIG. 6). If the hashed authentication string created
by the mobile unit's home CGSA processor matches
the hashed authentication string created in the mobile
unit and supplied by the serving base station,
then verification is deemed successful. In such a
case, the home CGSA processor supplies the serving
base station with the unit's SSD field. As an aside, to
keep the ESN designation and the SSD field secure,
the communication between the base stations and
the CGSA processor is carried in encrypted form.
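
The SSD update of FIG. 2, the registration exchange just described and the FIG. 7 call origination check, as an added Python example (not code from the patent). Truncated SHA-256 stands in for the Jumble block, and the class names, field lengths and sample identifiers are assumptions made for illustration; `demo()` runs the exchange and returns the outcome of each step.

```python
import hashlib
import hmac
import secrets


def H(*fields: bytes) -> bytes:
    # Stand-in for Jumble (assumption): truncated SHA-256 of the concatenation.
    return hashlib.sha256(b"".join(fields)).digest()[:16]


def make_ssd(esn, a_key, randssd):
    ssd = H(esn, a_key, randssd)                  # FIG. 4
    return ssd[:8], ssd[8:]                       # (SSD-A, SSD-B)


class HomeCGSA:
    """Home processor: the only network element that stores the A-key."""
    def __init__(self, a_keys):
        self.a_keys, self.ssd = a_keys, {}        # both keyed by (MIN1, ESN)

    def new_ssd(self, min1, esn):
        randssd = secrets.token_bytes(7)
        self.ssd[(min1, esn)] = make_ssd(esn, self.a_keys[(min1, esn)], randssd)
        return randssd                            # relayed to the mobile unit

    def authbs(self, min1, esn, randbs):
        return H(randbs, esn, min1, self.ssd[(min1, esn)][0])      # FIG. 5

    def verify_registration(self, min1, esn, rand, auth):
        ssd = self.ssd.get((min1, esn))
        ok = ssd is not None and hmac.compare_digest(
            H(rand, esn, min1, ssd[0]), auth)                      # FIG. 6
        return ssd if ok else None


class Mobile:
    def __init__(self, min1, esn, a_key):
        self.min1, self.esn, self._a_key = min1, esn, a_key
        self.ssd_a = self.ssd_b = b""

    def update_ssd(self, randssd, get_authbs):
        ssd_a, ssd_b = make_ssd(self.esn, self._a_key, randssd)
        randbs = secrets.token_bytes(4)           # the mobile's own challenge
        expected = H(randbs, self.esn, self.min1, ssd_a)
        if not hmac.compare_digest(expected, get_authbs(randbs)):
            return False                          # mismatch: keep the old SSD
        self.ssd_a, self.ssd_b = ssd_a, ssd_b
        return True

    def register(self, rand):
        auth = H(rand, self.esn, self.min1, self.ssd_a)
        return {"min1": self.min1, "esn": self.esn, "auth": auth}

    def originate(self, rand, min3):
        return H(rand, self.esn, self.ssd_a, min3)                 # FIG. 7


class ServingBaseStation:
    """Visited cell: owns RAND and, after registration, the SSD only."""
    def __init__(self, home):
        self.home, self.visitors, self.rand = home, {}, secrets.token_bytes(8)

    def rotate_rand(self):
        self.rand = secrets.token_bytes(8)        # broadcast to the cell

    def handle_registration(self, msg):
        ssd = self.home.verify_registration(
            msg["min1"], msg["esn"], self.rand, msg["auth"])
        if ssd is not None:
            self.visitors[(msg["min1"], msg["esn"])] = ssd
        return ssd is not None

    def handle_origination(self, min1, esn, min3, auth):
        ssd = self.visitors.get((min1, esn))      # no home round trip
        return ssd is not None and hmac.compare_digest(
            H(self.rand, esn, ssd[0], min3), auth)


def demo():
    # Constructed sample identifiers, not real subscriber data.
    min1, esn, min3 = b"\x12\x34\x56", b"\x82\x00\x00\x01", b"5550100"
    a_key = secrets.token_bytes(8)
    home, phone = HomeCGSA({(min1, esn): a_key}), Mobile(min1, esn, a_key)
    randssd = home.new_ssd(min1, esn)
    out = {"ssd_update": phone.update_ssd(
        randssd, lambda randbs: home.authbs(min1, esn, randbs))}
    cell = ServingBaseStation(home)
    recorded = phone.register(cell.rand)
    out["registration"] = cell.handle_registration(recorded)
    out["call"] = cell.handle_origination(
        min1, esn, min3, phone.originate(cell.rand, min3))
    cell.rotate_rand()                            # RAND changes periodically
    out["stale_rand"] = cell.handle_registration(recorded)
    clone = Mobile(min1, esn, secrets.token_bytes(8))   # ESN/MIN1 only, no SSD
    out["no_ssd"] = cell.handle_registration(clone.register(cell.rand))
    out["cell_has_ssd"] = cell.visitors[(min1, esn)] == (phone.ssd_a, phone.ssd_b)
    return out
```

A registration message recorded under an old RAND, and a unit that knows only the plaintext ESN and MIN1, both fail verification, while the serving cell ends up holding the SSD and never the A-key.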

In the above-described protocol, the mobile unit's
CGSA processor attempts to verify the validity of the
hashed authentication string. When the verification is
unsuccessful, the CGSA processor informs the serving
base station that the mobile unit was not authenticated
and may suggest that either the contact with
the mobile unit be dropped or that the mobile unit be
directed to retry the registration process. To retry the
registration process the home CGSA processor can
either continue participation in the authentication
process or it can delegate it to the serving base station.
In the latter alternative, the serving base station
informs the home CGSA processor of the ESN sequence
and the MIN1 designation of the mobile unit
and the CGSA processor responds with the SSD field
of the mobile unit and the RANDSSD with which the
SSD field was created. Authentication, in the sense
of creating a hashed authentication string and comparing
it to the hashed authentication string sent by
the mobile unit, is then carried out by the serving
base station. A retry directive can then be carried out
without the home CGSA process by the serving station
sending the RANDSSD to the mobile unit. This
"registration" protocol is depicted in FIG. 3.

Once the mobile unit has been "registered" at the
serving base station (via the above-described process)
the serving base station possesses the ESN and
the SSD field of the mobile unit and subsequent authentication
processes in that cell can proceed in the
serving base station without reference to the home
CGSA processor - except one. Whenever, for any
reason, it is desirable to alter the SSD field, communication
is effectively between the home CGSA processor
and the mobile unit and the serving base station
acts only as a conduit for this communication.
That is because creation of a new SSD field requires
an access to the secret A-key, and access to the A-key
is not granted to anyone by the CGSA processor.
Accordingly, when a new SSD field is to be created
and the mobile unit is not in the area of the home
CGSA, the following occurs:

• the home CGSA processor creates a 
RANDSSD sequence and alters the SSD field 
based on that RANDSSD sequence, 

• the home CGSA processor supplies the serv- 
ing base station with the RANDSSD sequence 
and the newly created SSD field, 

• the serving base station directs the mobile unit 
to alter its SSD field and provides the mobile unit 
with the RANDSSD sequence, 

• the mobile unit alters the SSD field and sends 
a challenge to the serving base station, 

• the serving base station creates the AUTHBS 
string (described above) and sends it to the mobile
unit, and

• the mobile unit verifies the AUTHBS string and 
informs the serving base station that both the 
mobile unit and the serving base station have the 
same SSD fields. 

Having been registered by the serving base sta- 
tion, the mobile unit can initiate calls with an authen- 
tication process as depicted in FIG. 7. The call initia- 
tion sequence concatenates signals RAND, ESN, 
SSD-A and at least some of the called party's identi- 
fication (phone) number (MIN3 in FIG. 7). The concat- 
enated signals are applied to the Jumble process to 
develop a hashed authentication sequence that can 
be verified by the serving base station. Of course, to 
permit verification at the serving base station, the 
called party's identification number must also be 
transmitted in a manner that can be received by the 
base station (and, as before, perhaps a portion of the 
RAND signal), i.e., in plaintext. Once the authentication
sequence is verified, the base station can process
the call and make the connection to the called
party. 

The protocol for connecting to a mobile unit when
it is a "called party" follows the registration protocol
of FIG. 6. That is, the serving base station requests
the called mobile station to send an authentication
sequence created from the RAND sequence, ESN
designation, MIN1 designation and SSD-A subfield.
When authentication occurs, a path is setup between
the base station and the called party mobile unit for
the latter to receive data originating from, and send
data to, the mobile unit (or stationary unit) that originated
the call.

It should be noted that all of the authentications
described above are effective only (in the sense of
being verified) with respect to the authenticated
packets, or strings, themselves. To enhance security
at other times, three different additional security
measures can be employed. They are speech encryption,
occasional re-authentication, and control message
encryption.

Speech Encryption 

The speech signal is encrypted by first converting
it to digital form. This can be accomplished in any
number of conventional ways, with or without
compression, and with or without error correction codes.
The bits of the digital signals are divided into
successive groups of K bits and each of the groups is
encrypted. More specifically, in both the mobile unit and
the base station the RAND sequence, the ESN and
MIN1 designations, and the SSD-B subfield are
concatenated and applied to the Jumble process. The
Jumble process produces 2K bits and those bits are
divided into groups A and B of K bits each. In the
mobile unit group A is used for encrypting outgoing
speech, and group B is used for decrypting incoming
speech. Conversely in the base station, group A is
used for decrypting incoming speech and group B is
used for encrypting outgoing speech. FIG. 8 depicts
the speech encryption and decryption process.

Re-authentication 

At the base station's pleasure, a re-authentication
process is initiated to confirm that the mobile unit
which the base station believes is active, is, in fact,
the mobile unit that was authorized to be active. This
is accomplished by the base station requesting the
mobile unit to send a hashed authentication sequence
in accordance with FIG. 9. With each such request,
the base station sends a special (RANDU) sequence.
The mobile unit creates the hashed authentication
sequence by concatenating the RANDU sequence,
the area code MIN2 designation of the mobile unit,
the ESN designation, the MIN1 designation
and the SSD-A designation. The concatenated string
is applied to the Jumble process, and the resulting
hashed authentication string is sent to the base
station. The base station, at this point, is in a position to
verify that the hashed authentication string is valid.

Control Message Cryptosystem 

The third security measure deals with ensuring
the privacy of control messages. In the course of an
established call, various circumstances may arise
that call for the transmission of control messages. In
some situations, the control messages can significantly
and adversely affect either the mobile station
that originated the call or the base station. For that
reason, it is desirable to encipher (reasonably well)
some types of control messages sent while the
conversation is in progress. Alternately, selected fields of
chosen message types may be encrypted. This includes
"data" control messages such as credit card
numbers, and call redefining control messages. This
is accomplished with the Control Message
Cryptosystem.

The Control Message Cryptosystem (CMC) is a 
symmetric key cryptosystem that has the following 
properties: 

1) it is relatively secure, 

2) it runs efficiently on an eight-bit computer, and 

3) it is self-inverting.

The cryptographic key for CMC is an array,
TBOX[z], of 256 bytes which is derived from a "secret"
(e.g., SSD-B subfield) as follows:

1. for each z in the range 0 ≤ z < 256, set
TBOX[z] = z, and

2. apply the array TBOX[z] and the secret (SSD-B)
to the Jumble process.

This is essentially what is depicted in elements 301, 
302 and 303 in FIG. 8 (except that the number of bits 
in FIG. 8 is 2K rather than 256 bytes). 

Once the key is derived, CMC can be used to encrypt
and decrypt control messages. Alternately, the
key can be derived "on the fly" each time the key is
used. CMC has the capability to encipher variable
length messages of two or more bytes. CMC's operation
is self-inverting, or reciprocal. That is, precisely
the same operations are applied to the ciphertext to
yield plaintext as are applied to plaintext to yield
ciphertext. Thus, a two-fold application of the CMC
operations would leave the data unchanged.

In the description that follows it is assumed that 
for the encryption process (and the decryption proc- 
ess) the plaintext (or the ciphertext) resides in a data 
buffer and that CMC operates on the contents of that 
data buffer such that the final contents of the data 
buffer constitute the ciphertext (or plaintext). That 
means that elements 502 and 504 in FIG. 10 can be 
one and the same register. 

CMC is comprised of three successive stages,
each of which alters each byte string in the data
buffer. When the data buffer is d bytes long and each
byte is designated by b(i), for i in the range 0 ≤ i < d:

I. The first stage of CMC is as follows:

1. Initialize a variable z to zero,

2. For successive integer values of i in the
range 0 ≤ i < d

a. form a variable q by: q = z ⊕ low order
byte of i, where ⊕ is the bitwise boolean
Exclusive-OR operator,

b. form variable k by: k = TBOX[q],

c. update b(i) with: b(i) = b(i) + k mod 256,
and

d. update z with: z = b(i) + z mod 256.

II. The second stage of CMC is:

1. for all values of i in the range 0 ≤ i < (d - 1)/2:

b(i) = b(i) ⊕ (b(d - 1 - i) OR 1), where OR
is the bitwise boolean OR operator.

III. CMC's final stage is the decryption that is the
inverse of the first stage:

1. Initialize a variable z to zero,

2. For successive integer values of i in the
range 0 ≤ i < d

a. form a variable q by: q = z ⊕ low order
byte of i,

b. form variable k by: k = TBOX[q],

c. update z with: z = b(i) + z mod 256,

d. update b(i) with: b(i) = b(i) - k mod 256.

The three stage process employed to encrypt and
decrypt selected control and data messages is
illustrated in FIG. 10. In one preferred embodiment the first
stage and the third stage are an autokey encryption
and decryption, respectively. An autokey system is a
time-varying system where the output of the system
is used to affect the subsequent output of the system.
For further reference regarding cryptography and
autokey systems, see W. Diffie and M.E. Hellman,
Privacy and Authentication: An Introduction to
Cryptography, Proc. of the I.E.E.E., Vol. 67, No. 3, March
1979.
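
The three CMC stages described above, written out in C as an added example (not code from the patent). The Jumble process is not defined in this section, so `toy_tbox` is a hypothetical stand-in key schedule; the stage II bound i < (d - 1)/2 is read as a real-valued comparison, and the secret and message bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in key schedule, NOT the patent's Jumble process: start from
 * TBOX[z] = z (step 1), then swap entries under control of the secret. */
static void toy_tbox(uint8_t tbox[256], const uint8_t *secret, size_t n)
{
    for (unsigned z = 0; z < 256; z++) tbox[z] = (uint8_t)z;
    for (unsigned z = 0, j = 0; z < 256; z++) {
        uint8_t t = tbox[z];
        j = (j + t + secret[z % n]) & 0xFF;
        tbox[z] = tbox[j];
        tbox[j] = t;
    }
}

/* Stages I-III in place; the same call enciphers and deciphers. */
static void cmc_crypt(const uint8_t tbox[256], uint8_t *b, size_t d)
{
    uint8_t z = 0;
    for (size_t i = 0; i < d; i++) {           /* stage I: autokey encrypt */
        b[i] = (uint8_t)(b[i] + tbox[z ^ (uint8_t)i]);  /* q = z XOR i */
        z = (uint8_t)(z + b[i]);               /* z follows the new b(i) */
    }
    for (size_t i = 0; 2 * i + 1 < d; i++)     /* stage II: i < (d-1)/2 */
        b[i] ^= (uint8_t)(b[d - 1 - i] | 1);   /* OR 1: mask is never 0 */
    z = 0;
    for (size_t i = 0; i < d; i++) {           /* stage III: inverse of I */
        uint8_t k = tbox[z ^ (uint8_t)i];
        z = (uint8_t)(z + b[i]);               /* z updated before b(i) */
        b[i] = (uint8_t)(b[i] - k);
    }
}

/* 1 if each prefix (2..len bytes) changes once and is restored twice. */
static int cmc_self_inverting(const uint8_t tbox[256], const uint8_t *msg, size_t len)
{
    uint8_t buf[64];
    if (len > sizeof buf) return 0;
    for (size_t d = 2; d <= len; d++) {
        memcpy(buf, msg, d);
        cmc_crypt(tbox, buf, d);
        if (memcmp(buf, msg, d) == 0) return 0;   /* ciphertext == plaintext */
        cmc_crypt(tbox, buf, d);
        if (memcmp(buf, msg, d) != 0) return 0;   /* second pass must undo */
    }
    return 1;
}

int main(void)
{
    const uint8_t secret[8] = {0x10,0x32,0x54,0x76,0x98,0xBA,0xDC,0xFE}; /* constructed */
    const uint8_t msg[] = "HANDOFF CH=0417";                             /* constructed */
    uint8_t tbox[256];
    toy_tbox(tbox, secret, sizeof secret);
    printf("self-inverting: %d\n", cmc_self_inverting(tbox, msg, sizeof msg - 1));
    return 0;
}
```

Self-inversion holds for any TBOX contents, because stage III undoes stage I and stage II is its own inverse; the key only determines which ciphertext results.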

Mobile Unit Apparatus

FIG. 11 presents a block diagram of a mobile unit
hardware. It comprises a control block 200 which
includes (though not illustrated) the key pad of a cellular
telephone, the hand set and the unit's power control
switch. Control block 200 is connected to processor
210 which controls the workings of the mobile unit,
such as converting speech signals to digital
representation, incorporating error correction codes,
encrypting the outgoing digital speech signals, decrypting
incoming speech signals, forming and encrypting (as
well as decrypting) various control messages, etc.
Block 210 is coupled to block 220 which comprises
the bulk of the circuitry associated with transmission
and reception of signals. Blocks 200-220 are basically
conventional blocks, performing the functions that
are currently performed by commercial mobile
telephone units (though the commercial units do not
carry out encrypting and decrypting). To incorporate the
authentication and encryption processes disclosed
herein, the apparatus of FIG. 11 also includes a block
240 which comprises a number of registers coupled
to processor 210, and a "personality" module 230 that
is also coupled to processor 210. Module 230 may be
part of the physical structure of a mobile telephone
unit or it may be a removable (and pluggable) module
that is coupled to the mobile telephone unit through
a socket interface. It may also be coupled to
processor 210 through an electromagnetic path, or
connection. In short, module 230 may be, for example, a
"smart card".

Module 230 comprises a Jumble processor 231
and a number of registers associated with processor
231. Alternately, in another preferred embodiment,
only the A-Key is in the module 230. A number of
advantages accrue from installing (and maintaining) the
A-key, and the MIN1 and MIN2 designations in the
registers of module 230, rather than in the registers
of block 240. It is also advantageous to store the
developed SSD field in the registers of module 230. It is
further advantageous to include among the registers of
module 230 any needed working registers for
carrying out the processes of processor 231. By including
these elements in module 230, the user may carry
the module on his person to use it with different
mobile units (e.g. "extension" mobile units) and have
none of the sensitive information be stored outside
the module. Of course, mobile units may be produced
with module 230 being an integral and permanent
part of the unit. In such embodiments, Jumble
processor 231 may be merged within processor 210.
Block 240 stores the unit's ESN designation and the
various RAND sequences that are received.

Although the above disclosure is couched in 
terms of subscriber authentication in a cellular tel- 
ephony environment, and that includes personal 
communication networks which will serve portable 
wallet sized handsets, it is clear that the principles of 
this invention have applicability in other environ- 
ments where the communication is perceived to be 
not sufficiently secure and where impersonation is a 
potential problem. This includes computer networks, 
for example. 



Claims 

1. A method, carried out by a customer unit that 
maintains a code sequence, for establishing a 
communications channel with a base station, 
comprising the steps of: 

receiving from the base station a digital 
signal sequence; 

developing a string which includes the 
code sequence, the digital signal sequence, and 
a sequence of bits that is characteristic of the 
customer unit; 

hashing the string to develop a hashed 
string; and 

using the hashed string in further commu- 
nications with the base station. 

2. The method of claim 1 further comprising the
steps of:

creating a challenge string,

transmitting the challenge string,

forming an authentication string that comprises
the challenge string, said sequence of bits
that is characteristic of the customer unit, and at
least a portion of the hashed string;

hashing the authentication string to form
a hashed authentication string;

receiving a verification string in response
to said step of transmitting the challenge string;

comparing the received verification string
with the hashed authentication string; and

transmitting results of said step of comparing.

3. The method of claim 1 further comprising a step
of verifying that the base station recognizes the
hashed string developed by said customer unit to
be a valid hashed string, wherein said step of
verifying comprises the steps of:

developing a challenge sequence;

sending said challenge sequence to said
base station;

forming an authentication string from a
concatenation of said challenge sequence, said
hashed string and selected other information;

hashing said authentication string to form
a hashed authentication string;

receiving a hashed signal from said base
station that is related to said challenge sequence
sent to said base station;

comparing said hashed authentication
string with said hashed signal; and

reporting to said base station results of
said step of comparing.

4. A method, carried out by a customer unit that
maintains a code sequence, for establishing a
communications channel with a base station,
comprising the steps of:

receiving from the base station a digital
signal sequence;

developing a string which includes the digital
signal sequence, a sequence of bits that is
characteristic of said customer unit and a key
derived from the code sequence;

hashing the string to develop a hashed
string; and

sending the hashed string to the base station.

5. The method of claim 4 further comprising the
steps of determining that the mobile customer
unit has entered the jurisdiction of the base
station.

6. The method of claim 4 including a step of
initiating the steps of receiving, developing, hashing
and sending said hashed string when said base
station desires to re-authenticate said customer
unit.

7. A method, carried out by a customer unit that 
maintains a code sequence, for establishing a 
communications channel with a base station that 
has no knowledge of said code sequence, com- 
prising the steps of: 

(a) receiving from said base station a digital 
signal sequence; 

(b) developing a string which includes 

(1) a substring containing a sequence of 
bits that is characteristic of said customer 
unit, 

(2) a substring that is related to a specified 
action to be taken by said customer unit, 
which substring is selected from a set com- 
prising 

(i) a null string, 

(ii) a string of bits corresponding to a 
number assigned to said customer unit, 
and 

(iii) a string corresponding to the number
of another customer unit to which
connection is sought,

(3) a substring containing said digital sig- 
nal sequence, and 

(4) a substring containing a key derived 
from said code sequence; 

(c) hashing said string to develop a hashed 
string; and 

(d) sending said hashed string to said base 
station. 

8. A customer unit for communicating with a system,
said customer unit including first means (200) for
developing call initiation control signals and call
progress control signals, second means (210,
230, 240) responsive to said call initiation control
signals and call progress control signals for
establishing and maintaining a communication
channel with said system in accordance with a
protocol, third means (200) for creating data
signals, and fourth means (220) for applying the
data signals and the call control signals to said
communication channel, said second means
CHARACTERIZED BY:

a processor responsive to said third
means and said fourth means;

means A (a register in block 240) for
developing an identifier signal that is unique to said
customer unit;

means B for storing (240) a temporary
string signal (RAND) received from said system;

means C for storing (232) an identifier signal
(MIN) supplied by an owner of said system, a
code sequence key signal (A-key) supplied by
said owner of said system, an authentication key
signal (SSD-A), and a speech encryption key
signal (SSD-B);

means D (231) responsive to said processor
for hashing an applied string and developing
thereby a hashed output;

means E for applying said authentication
key to means D.

9. The customer unit of claim 8 wherein at least the
portion of means C that stores the code sequence
key signal is in a removable module.

10. The customer unit of claim 9 wherein said module
is adapted to be connected to said processor via
electromagnetically coupled connections.

11. A method carried out by a communications system
for establishing a communications channel
with a customer unit comprising the steps of:

maintaining an authentication key of said
customer unit;

receiving a first hashed authentication
string from said customer unit;

forming a local authentication string by
combining said authentication key with other
information;

hashing said local authentication string to
form a local hashed authentication string; and

comparing said local hashed authentication
string with the first hashed authentication
string.